Many New Zealand companies have an old-fashioned view of cyber security – and have traditionally not been good at maintaining secure systems, according to two industry experts.
David Nalder and Anthony Steele, partners in PwC's Assurance group, say Kiwi organisations need to treat cyber security as a business issue, not a technology problem, and raise their awareness of the risks surrounding the data they hold.
"I think the main challenge we've got is that the New Zealand psyche is by and large quite trusting," says Nalder. "It's the 'she'll be right' attitude and not always 'will things be right?'."
Nalder and Steele run PwC's Technology Risk business in New Zealand. The unit helps clients understand, risk manage, improve and ultimately gain confidence over how they manage technology-associated issues in their day-to-day business.
Their colleague, Adrian van Hest, will speak at the PwC Herald Talks – Cyber Security event in Auckland this month.
Nalder says most organisations give responsibility for cyber security to their IT or security teams and say, "It's your problem."
"It's not – it's actually a business problem because it goes to the heart of how organisations operate and keep trust with their providers or customers whose information they manage.
"They need to understand risks in this area, and have transparency around their management processes, to give them confidence that the system works, is secure, resilient and reliable, and that those assurances have been independently verified."
He says the old-fashioned views of cyber security held by many New Zealand companies – which they see merely as control of access or passwords - doesn't translate to new ways of working such as cloud-based service providers, the infrastructure and application of servers and the Internet of Things.
The step-change in the number of connected devices, the plethora of data they generate and sophisticated ways to direct workflow, make decisions, and collect data means organisations need to think about much more sophisticated security and the integrity of their processes.
Nalder says while there's a lot of focus around security, equal focus needs to go on integrity - are the systems doing the right thing; are they resilient and reliable; are they available when needed; have they been tested appropriately.
"Those security and integrity elements should go hand-in-hand. I think sometimes the public debate is too weighted towards the cliché of the hooded hacker sitting in a darkened room whereas the real risk is much more pervasive than that," he says.
Steele suggests many organisations don't fully understand what sensitive data is held or how it's stored. "To efficiently and effectively manage risk you actually need to know what you're protecting."
However, the need for security is far greater than protecting an organisation or client's privacy and data. New technologies have a different set of security needs and risks. Building trust is fundamental to alleviating risk, he says.
Nalder and Steele say that New Zealand companies have traditionally not been good at maintaining secure systems.
The 2019 PwC Digital Trust Insights report reinforces the view that New Zealand society is open and trusting. "That flows through to a general lack of awareness within organisations, particularly the SMEs, around the risk or exposures they face," he says.
"For example 81 per cent of New Zealand businesses expect the Internet of Things to be critical to their future success, yet only 29 per cent are 'very confident' they are building in sufficient controls. Globally, it was much higher." The UK rated 36 per cent, US 40 per cent and Australia 41 per cent.
Steele says organisations must ask themselves fundamental questions. "What information do I maintain? Where do I get it, how do I store it, how do I secure it? What are the management processes that make sure that my technology is secure and reliable, and where am I getting confidence from about the things I'm relying on?"
The biggest danger a company faces is losing the trust of their customers and stakeholders, he says, which underpins the need for keeping data secure.
Nalder adds: "Organisations are stewards of data they're entrusted with. They need to know they are appropriate stewards and be able to demonstrate the trust that's been given to them is well-founded."
With growing AI and robotic presence in the workplace, both believe New Zealand's institutional and private governance structures need to be improved.
Steele says organisations need to make the rules of the game clear. "By rules of the game I mean the policies and expectations of all staff and providers within or who support the organisation. Make it clear why that matters and provide some transparency in how the organisation has got confidence in those rules and obligations."
That begins at the board table, he says. "There's a role for the board and the governance of organisations in this, and that's around what sort of intelligence or information they are getting from their management team around how these risks are being managed.
"If you're driving that from the top it will flow through the organisation. Having a seat at the table for a chief information security officer, or a privacy officer, or a risk officer, or whatever title you put on it, is important."
Find out more at PwC.Heraldtalks.co.nz